Abstract

A finite state automaton is adopted as a model for Discrete Event Dynamic Systems
(DEDS). Observations are assumed to be a subset of the event alphabet. Observability
is defined as having perfect knowledge of the current state at points in
time separated by bounded numbers of transitions. A polynomial test for observability
is given. It is shown that an observer may be constructed and implemented in
polynomial time and space. A bound on the cardinality of the observer state space
is also presented. A notion of resiliency is defined for observers, and a test for
resilient observability and a procedure for the construction of a resilient observer are
presented.
1 Introduction

Discrete  Event  Dynamic  Systems  (DEDS)  have  received  considerable  attention  in  the 
control  literature  recently.  Many  large  scale  dynamic  systems  seem  to  have  a  DEDS 
structure, at least at some level of description. Some examples are manufacturing
systems [7,17], communication systems (such as data networks, and distributed
systems) [1], and expert systems (such as CPU design, or air-traffic management)
[2,3,18].

The notion of the control of a DEDS was, to our knowledge, first explicitly introduced
in the work of Wonham, Ramadge, et al. [5,8,15,14,20]. In this work, it is
assumed  that  certain  events  in  the  system  can  be  enabled  or  disabled.  The  control 
of  the  system  is  achieved  by  choice  of  control  inputs  that  enable  or  disable  these 
events.  The  objective  is  to  have  a  closed  loop  system,  so  that  the  event  trajectory  in 
this  system  is  always  in  a  given  set  of  desired  strings  of  events.  This  approach  is 
generally  classified  as  a  linguistic  approach,  since  the  objective  is  defined  in  terms  of 
the  language  generated  by  the  closed-loop  system,  i.e.,  the  set  of  possible  strings  of 
events. 

This  work  has  prompted  a  considerable  response  by  other  researchers  in  the  field, 
and  one  of  the  principal  characteristics  of  this  research  has  been  the  exploration 
of alternate formulations and paradigms that provide the opportunity for new and
important  developments  building  on  the  foundations  of  both  computer  science  (for 
example,  building  on  the  concepts  in  [4])  and  control.  The  work  presented  here  is 
very  much  in  that  spirit  with,  perhaps,  closer  ties  to  more  standard  control  concepts. 
In  particular,  in  our  work,  we  have  had  in  mind  the  development  of  the  elements 
needed  for  a  regulator  theory  for  DEDS.  In  another  paper,  [12],  we  develop  notions  of 
stability and stabilizability for DEDS which might, more correctly, be thought of as
properties of resiliency or error-recovery. In this paper, we focus on the output side
of  the  problem,  namely  on  the  questions  of  observability  and  state  reconstruction. 

Partial observation problems have been the subject of several investigations in
the literature. In particular, Cieslak, et al. [1], and Lin and Wonham [6] formulate a
supervisor control problem that can be thought of as a dynamic output compensation
problem. Ramadge [13], on the other hand, explicitly addresses the observability
problem. In particular, as in this paper, Ramadge addresses the problem of determining
the current state of the system. In his framework, partial observations may
be available concerning both the system state and events. In this paper, we assume
what might be thought of as an intermittent observation model: no direct measurements
of the state are made, and we only observe a specified subset of possible events,
i.e., if an event outside this subset occurs, we will not observe it and indeed will not
even know that an event has occurred. The more substantive difference between [13]
and the present paper is in the notion of observability that is adopted. In particular,
Ramadge requires exact reconstruction of the current state after each system
event, while in our work, we allow state ambiguities to develop (as they must if some
events are unobserved) but require that these be resolvable after a bounded interval
of events. While this difference in formulations is quite fundamental, we will see
that the concept of indistinguishability introduced by Ramadge plays an important
role in our work as well.

In  addition  to  characterizing  observability  and  constructing  observers,  we  also 
introduce  a  notion  of  stability  that  we  feel  is  of  some  importance  more  generally  in 
characterizing desirable behavior in a DEDS. In particular, we introduce the notion
of resiliency for an observer, corresponding to its ability to recover from a finite burst
of errors.

In  the  next  section,  we  introduce  the  mathematical  framework  considered  in  this 
paper and address the problem of observability. In particular, we characterize observability
and related notions of always observability and observability with a delay. We
provide  polynomial  tests  for  these  notions  and  algorithms  to  construct  appropriate 
observers.  In  Section  3,  we  turn  our  attention  to  complexity  issues.  We  show  that 
an  observer  may  have  an  exponential  number  of  states.  Since  the  observer  itself  can 
be  implemented  in  polynomial  time,  complexity  is  only  important  for  stabilization  by 
output  feedback.  In  Section  4,  we  characterize  resilient  observability,  and  construct  a 
resilient  observer.  Finally,  in  Section  5,  we  summarize  our  results  and  discuss  several 
directions  for  further  work. 

2  Observability 

2.1  Background  and  Preliminaries 

The systems we consider are nondeterministic finite-state automata with
intermittent event observations. The basic object of interest is the triple:

$$G = (X, \Sigma, \Gamma) \tag{2.1}$$

where $X$ is the finite set of states, with $n = |X|$, $\Sigma$ is the finite set of possible
events, and $\Gamma \subset \Sigma$ is the set of observable events. The dynamics of the system are
characterized by two functions $f$ and $d$:

$$x[k+1] \in f(x[k], \sigma[k+1]) \tag{2.2}$$

$$\sigma[k+1] \in d(x[k]) \tag{2.3}$$

Here, $x[k] \in X$ is the state after the $k$th event, and $\sigma[k+1] \in \Sigma$ is the $(k+1)$st
event. The function $d : X \to 2^{\Sigma}$ is a set-valued function that specifies the set of
possible events defined at each state (so that, in general, not all events are possible
from each state), and the function $f : X \times \Sigma \to 2^{X}$ is also set-valued, so that the state
following a particular event is not necessarily known with certainty. Note that $f$ can
be extended to act on strings over $\Sigma$ by $f(x, \sigma_1 \cdots \sigma_n) = f(f(\cdots f(x, \sigma_1), \cdots), \sigma_n)$.

In  calculating  the  complexity  of  algorithms  that  we  present  in  this  paper,  we  will 
assume that the number of transitions defined at each state, $|f(x, \Sigma)|$ for each $x \in X$,
is small. It is otherwise straightforward to recompute the complexity of algorithms in
order to account for $|f(x, \Sigma)|$. In the investigations of control of DEDS, one typically
introduces  control  by  allowing  it  to  influence  the  set  of  possible  events  specified  by  d. 
We  do  not  introduce  it  here  as  it  is  not  needed  for  the  present  investigation. 

Our model of the output process is quite simple: whenever an event in $\Gamma$ occurs,
we observe it; otherwise, we see nothing. Specifically, we define the output function
$h : \Sigma \to \Gamma \cup \{\epsilon\}$, where $\epsilon$ is the “null transition”, by

$$h(\sigma) = \begin{cases} \sigma & \text{if } \sigma \in \Gamma \\ \epsilon & \text{otherwise} \end{cases} \tag{2.4}$$

Then, our output equation is

$$\gamma[k+1] = h(\sigma[k+1]) \tag{2.5}$$

Note that $h$ can be thought of as a map from $\Sigma^*$ to $\Gamma^*$, where $\Gamma^*$ denotes the set
of all strings of finite length with elements in $\Gamma$, including the empty string $\epsilon$. In
particular, $h(\sigma_1 \cdots \sigma_n) = h(\sigma_1) \cdots h(\sigma_n)$. The quadruple $A = (G, f, d, h)$ representing
our system can also be visualized graphically as in Figure 2.1. Here, circles denote
states, and events are represented by arcs. The first symbol in each arc label denotes
the event, while the symbol following “/” denotes the corresponding output. Thus, in
this example, $X = \{0, 1, 2, 3, 4, 5\}$, $\Sigma = \{\alpha, \beta, \delta, \gamma\}$, and $\Gamma = \{\alpha, \beta\}$.

Figure 2.1: A Simple Example

There are several basic notions that we will need in our investigation. The first is
the notion of liveness. Intuitively, a system is alive if it cannot reach a point at which
no event is possible. That is, $A$ is alive if $\forall x \in X$, $d(x) \neq \emptyset$. We will assume that
this is the case. A second notion that we need is the composition of two automata,
$A_i = (G_i, f_i, d_i, h_i)$, which share some common events. Specifically, let $S = \Sigma_1 \cap \Sigma_2$
and, for simplicity, assume that $\Gamma_1 \cap S = \Gamma_2 \cap S$ (i.e., any shared event observable
in one system is also observable in the other). The dynamics of the composition
are specified by allowing each automaton to operate as it would in isolation except
that when a shared event occurs, it must occur in both systems. Mathematically, we
denote the composition by $A_{12} = A_1 \,\|\, A_2 = (G_{12}, f_{12}, d_{12}, h_{12})$, where

$$G_{12} = (X_1 \times X_2, \; \Sigma_1 \cup \Sigma_2, \; \Gamma_1 \cup \Gamma_2) \tag{2.6}$$

$$f_{12}(x, \sigma) = f_1(x_1, \sigma) \times f_2(x_2, \sigma) \tag{2.7}$$

$$d_{12}(x) = (d_1(x_1) \cap \overline{S}) \cup (d_2(x_2) \cap \overline{S}) \cup (d_1(x_1) \cap d_2(x_2)) \tag{2.8}$$

$$h_{12}(\sigma) = \begin{cases} h_1(\sigma) & \text{if } \sigma \in \Gamma_1 \\ h_2(\sigma) & \text{if } \sigma \in \Gamma_2 \\ \epsilon & \text{otherwise} \end{cases} \tag{2.9}$$

Here we have extended each $f_i$ to all of $\Sigma$ in the trivial way, namely, $f_i(x_i, \sigma) = x_i$ if
$\sigma \notin \Sigma_i$. Note also that $h_{12}$ given by (2.9) is well-defined.

Two issues often studied in computer science in the context of such compositions
are liveness (i.e., the absence of deadlocks) and fairness. Such a composition is fair
if it is impossible for an infinite number of transitions to occur in one system alone
without any transitions occurring in the other. In our present context, in which we
will be composing systems and observers, liveness will not be an issue and fairness
will be guaranteed by assumption on our DEDS.

Another property we would like the DEDS under investigation to have is that
observations occur with some regularity. Specifically, since we are only observing
events in $\Gamma$ in our automaton $A$, we will not want it to be possible for our DEDS
to generate arbitrarily long sequences of unobservable events, i.e., events in $\overline{\Gamma}$, the
complement of $\Gamma$. A necessary condition for this is that if we remove the observable
events, the resulting automaton $A|\overline{\Gamma} = (G, f, d \cap \overline{\Gamma}, h)$ must not be alive. However, we
actually want more than this, namely that every trajectory in $A|\overline{\Gamma}$ is killed in finite
time by being forced into a state $x$ for which $d(x) \cap \overline{\Gamma} = \emptyset$. This condition can be stated
in terms of the notion of stability introduced in [12] which we will also use in the
next section to characterize the notion of observability introduced in this paper: Our
notion of stability is a notion of recovery from any possible error in a finite number
of transitions. Specifically, we assume that we have identified a set of “good” states
(the set $E$ in the following definition), and we define this notion of recovery in two
stages as follows:

Definition 2.1 Let $E$ be a specified subset of $X$. A state $x \in X$ is $E$-pre-stable if
every trajectory starting from $x$ passes through $E$ in a finite number of transitions.
The state $x \in X$ is $E$-stable if every state reachable from $x$ is $E$-pre-stable. The
DEDS is $E$-stable if every $x \in X$ is $E$-stable. □

Note that if $x$ is $E$-stable, then every trajectory from $x$ visits $E$ infinitely often and
indeed at intervals separated by at most $n$ events [12]. Also, as shown in [12], a
necessary and sufficient condition for $E$-stability of $A$ is the absence of cycles that
do not pass through $E$. Here, a cycle is a finite sequence of states $x_1, x_2, \ldots, x_k$, with
so that there exists an event sequence $s$ that allows the system to follow
this sequence of states. We refer the reader to [12] for a more complete discussion of
this subject and for an O(n^) test for $E$-stability of a DEDS.

It is not difficult to see that an equivalent condition to our DEDS being unable
to generate arbitrarily long sequences of unobservable events is that if we remove
the observable events, the resulting automaton $A|\overline{\Gamma} = (G, f, d \cap \overline{\Gamma}, h)$ must be $D$-stable,
where $D$ is the set of states that only have observable transitions defined, i.e.,
$D = \{x \in X \mid d(x) \cap \overline{\Gamma} = \emptyset\}$ $^1$. This is not difficult to check and will be assumed.

$^1$ In [12], we have defined stability for live systems. Although $A|\overline{\Gamma}$ is not alive, its trajectories
can only die in $D$, and thus, our results on stability will carry to this case.

Finally, let us introduce some notations that we will find useful:

• Let $x \to^{s} y$ denote the statement that state $y$ is reached from $x$ via the occurrence
of event sequence $s$. Also, let $x \to^{*} y$ denote that $x$ reaches $y$ in any
number of transitions, including none. We also define the reach of $x$ in $A$ as:

$$R(A, x) = \{y \in X \mid x \to^{*} y\} \tag{2.10}$$

Finally, given $X' \subset X$, we let $R(A, X') = \bigcup_{x \in X'} R(A, x)$.

• Let

$$Y_0 = \{x \in X \mid \nexists\, y \in X, \gamma \in \Sigma, \text{ such that } x \in f(y, \gamma)\} \tag{2.11}$$

$$Y_1 = \{x \in X \mid \exists\, y \in X, \gamma \in \Gamma, \text{ such that } x \in f(y, \gamma)\} \tag{2.12}$$

$$Y = Y_0 \cup Y_1 \tag{2.13}$$

Thus, $Y$ is the set of states $x$ such that either there exists an observable transition
defined from some state $y$ to $x$ (as captured in $Y_1$) or $x$ has no transitions
defined to it (as captured in $Y_0$). Let $q = |Y|$.

• Let $L(A, x)$ denote the language generated by $A$ from the state $x \in X$, i.e.,
$L(A, x)$ is the set of all possible event trajectories of finite length that can be
generated if the system is started from the state $x$. Given $s \in L(A, x)$ for some
$x$, let $s_f$ denote the final event in $s$ and let

$$L_f(A, x) = \{s \in L(A, x) \mid s_f \in \Gamma\} \tag{2.14}$$

be the set of strings in $L(A, x)$ that have an observable event as their final event.
Similarly, $L_1(A, x)$ denotes the set of strings of $L_f(A, x)$ that contain one observable
event, and given some $\gamma \in \Gamma$, $L_\gamma(A, x)$ denotes the set of strings of
$L_1(A, x)$ that have $\gamma$ as the observable event.

• Given $s \in L(A, x)$ such that $s = pr$, $p$ is termed a prefix of $s$ and we use $s/p$ to
denote the corresponding suffix $r$, i.e., the remaining part of $s$ after $p$ is taken
out.
Figure 2.2: Notion of Observability: The state is known perfectly only at the indicated
instants. Ambiguity may develop between these but is resolved in a bounded number
of steps. [Figure labels: Output String; Perfect state knowledge]

2.2  State  Observability 

As mentioned in the Introduction and as illustrated in Figure 2.2, we term a system
observable if we can use the observation sequence $\gamma[k]$ to determine the current
state exactly at intermittent (but not necessarily fixed) points in time separated by a
bounded number of events. The precise definition is as follows:

Definition 2.2 $A$ is observable if there exists some integer $n_o$ such that $\forall x \in X$,
$\forall s \in L(A, x)$ such that $|s| > n_o$, there exists a prefix of $s$, $p \in L_f(A, x)$, such that
$|s/p| < n_o$, $f(x, p)$ is single valued, and $\forall y \in X, t \in L_f(A, y)$: $h(t) = h(p) \implies f(y, t) = f(x, p)$. □

This definition states the following: Take any sufficiently long string, $s$, that can
be generated from any initial state $x$. For an observable system, we can then find a
prefix $p$ of $s$ such that $p$ takes $x$ to a unique state and the length of the remaining
suffix is bounded by some integer $n_o$. Also, for any other string $t$, from some initial
state $y$, such that $t$ has the same output string as $p$, we require that $t$ takes $y$ to the
same, unique state to which $p$ takes $x$.
Let us note some very important implications of this definition. First, the string $p$
need not be of length one. Thus, while from the definition we will know the state after
$p$ is observed, we may not know it at earlier points. Furthermore, since $p \in L_f(A, x)$,
when we do know the state, that state will necessarily lie in $Y$. That is, since we
only observe events in $\Gamma$, the only possible times at which we might know the state
are points at which events in $\Gamma$ occur, i.e., points at which $x[k] \in Y$. Observability
is in fact weaker, since in particular, in an observable system, we need not know the
state every time it enters $Y$ or even every time it visits a particular state in $Y$; all
we can be assured is that we will know the state at points separated by $n$ or fewer
events, and that when we know the state, it will be in $Y$.

This suggests a straightforward design of an observer that produces “estimates”
of the state of the system after each observation $\gamma[k] \in \Gamma$. Each such estimate is a
subset of $Y$ corresponding to the set of possible states into which $A$ transitioned when
the last observable event occurred. The state space for the observer is a subset $Z$ of
$2^Y$, and the events and observable events are both $\Gamma$. What this observer must do is
the following: Suppose that the present observer estimate is $\hat{x}[k] \in 2^Y$ and that the
next output is $\gamma[k+1]$. The observer must then account for the possible occurrence of
one or more unobservable events prior to $\gamma[k+1]$ and then the occurrence of $\gamma[k+1]$:

$$\hat{x}[k+1] = w(\hat{x}[k], \gamma[k+1]) = \bigcup_{x \in R(A|\overline{\Gamma},\, \hat{x}[k])} f(x, \gamma[k+1]) \tag{2.15}$$

$\gamma[k+1] \in$  (2.16)

The set $Z$ is then in the reach of $\{Y\}$ using these dynamics. Note that once the first
observable transition occurs, the state $\hat{x}[k]$ is in fact a subset of $Y_1$. However, before
this point, we have no knowledge of the state. Thus the choice of initial state is an
issue that must be resolved. Note first that taking $Y_1$ as the initial state does not
work in general, as there may be states in $Y_1$ which can be reached by observable
transitions only from transient states. Thus we must augment $Y_1$ in order for the
dynamics (2.15) and (2.16) to determine the correct state estimate sequence. It is
easily shown that $Y$, as we have defined it, is the smallest subset of $X$ that contains
$Y_1$ and which, when used as the initial state of the observer, allows (2.15) and (2.16)
to produce the correct estimate sequence.

Figure 2.3: Observer for the system in Figure 2.1

Our observer then is the DEDS $O = (F, w, v, i)$, where $F = (Z, \Gamma, \Gamma)$ and $i$ is the
identity output function. The observer for the example in Figure 2.1 is illustrated in
Figure 2.3. Note that the set of allowable events $v(\hat{x}[k])$ defined in (2.16) characterizes
all possibilities for the next observable event given the set of possible states $\hat{x}[k]$. In
general, $v(\hat{x}[k]) \neq \Gamma$ for all i.e., not all sequences in $\Gamma^*$ can actually occur in
our system $A$. If such an unallowable sequence is observed, an error has obviously
occurred. In Section 4, we will deal with this in order to define the composition of $A$
and $O$ in our treatment of resiliency. Observability, however, can be considered by
examining $O$ by itself. Specifically, let E = 0 Z be the singleton states of
$O$. The following result ties observability with stability:

Proposition 2.3 $A$ is observable iff $E$ is nonempty and $O$ is $E$-stable.

Proof: Note first that $E$ must necessarily be nonempty for the system to be observable.
Thus we assume that this is true and focus then on necessity and sufficiency of $E$-stability.
To prove necessity, assume the contrary. Then [12] there exists a cycle
$\hat{x}_1 \hat{x}_2 \cdots \hat{x}_k = \hat{x}_1$ in $O$ for which $|\hat{x}_i| > 1$ for all $i$. Let $s$ denote the output sequence
producing this cycle. Then, an arbitrarily long repetition of this sequence is a feasible
output sequence for $A$. If this occurs, we will never know the current state exactly.

Now suppose that $O$ is $E$-stable, and let $n_o = n|Z|$. Thanks to $E$-stability, the
trajectories from all observer states go through $E$ in at most $|Z|$ observations. Since
we also assumed that $A$ cannot generate arbitrarily long sequences of unobservable
events, for any output that the system can generate, the observer goes through singleton
states at intervals of at most $n_o$ events. Let us now show that Definition 2.2
is satisfied: Given $x \in X$ and $s \in L(A, x)$ such that $|s| > n_o$, let $p \in L_f(A, x)$ be a
prefix of $s$ such that $|s/p| < n_o$ and $w(\{Y\}, h(p)) = \hat{x} \in E$. The existence of such a
$p$ is guaranteed thanks to $E$-stability. Furthermore, since $\hat{x}$ is a singleton, $f(x, p)$ is
clearly single valued. Finally, to show that

$$\forall y \in X, t \in L_f(A, y) : h(t) = h(p) \implies f(y, t) = f(x, p),$$

let us assume the contrary, i.e., let us assume that there exists some $y \in X$ and
$t \in L_f(A, y)$ such that $h(t) = h(p)$ and $f(y, t) \neq f(x, p)$. However, this implies that
$\hat{x}$ cannot be a singleton, and we achieve a contradiction. Therefore, Definition 2.2 is
satisfied and $A$ is observable. □
Later in this section, we show that a generally tight upper bound on the interval
between observer visits to singleton states is $nq^2$ in the worst case, and [9] illustrates
a class of systems for which this bound is in fact tight. Note that the observer DEDS
in Figure 2.3 is stable with respect to {0,2} so that the system in Figure 2.1 is
observable.

It  is  interesting  to  contrast  our  notion  of  observability  with  that  used  in  [13].  In 
particular,  in  [13]  it  is  required  that  the  state  is  known  at  all  times.  Therefore,  it 
must  be  that  E  =  X  and  that  once  the  observer  enters  E,  it  is  trapped  there  forever. 
In contrast, we may have $E$ substantially smaller than $X$ and furthermore, we allow
the  observer  state  to  leave  E,  as  long  as  it  returns  in  the  future. 

Let us also make a first few comments about computational complexity. Note that
the cardinality of $Z$, the observer state space, is bounded by $2^q$. Thus, using the stability
test in [12] we immediately have an O(2^^) test for observability. In Section 3,
we will provide tighter bounds on the size of $Z$. Independently of this, however, we
can devise an observability test that is polynomial in $q$. In particular, the reason for
the apparent complexity of the test for observability is the size of the observer state
space. An important point to note is that the observer is a deterministic automaton,
i.e., it tells us exactly the set of possible current states given the observed output. To
test for observability, however, all we really want to know is if there are recurring
points in time at which all ambiguity in the current state vanishes. Fortunately, it
is possible to construct a nondeterministic automaton that captures this with a dramatically
smaller state space. Specifically, given $A$, construct $A'$, a nondeterministic
automaton with state space $Y$ and event set $\Gamma$ such that $A'$ generates the same output
language as $A$ (see Figure 2.4 for $A'$ corresponding to the example in Figure 2.1).

Figure 2.4: $A'$ Corresponding to the Example in Figure 2.1

Let $P = Y \times Y$ and construct an automaton $O_p$ with state space $P$ and event set $\Gamma$
such that

$$f_{O_p}(p, \gamma) = (f'(x, \gamma) \cup f'(y, \gamma)) \times (f'(x, \gamma) \cup f'(y, \gamma)) \tag{2.17}$$

$$d_{O_p}(p) = d'(x) \cup d'(y) \tag{2.18}$$

where $f'$ is the transition map of $A'$, $p = (x, y) \in P$, $\gamma \in \Gamma$, and we define $f'(x, \gamma)$ as
$\emptyset$ if $\gamma \notin d'(x)$. Note that since it is nondeterministic, $O_p$ is certainly not an observer
for $A$. However, if its state ever evolves deterministically to a state of the form $(x, x)$,
the automaton $A$ must be in state $x$. Thus, we have:

Proposition 2.4 $A$ is observable iff $O_p$ is $E_p$-stable where $E_p = \{(x, x) \mid x \in Y\}$.

Proof: Straightforward by assuming contrary in each direction. □

Since $|P| = q^2$, this gives us a test for observability that has complexity O(q^). This
also leads to an upper bound on the maximum number of transitions it takes to reach
a singleton state, $n_o$ (see Definition 2.2):

Corollary 2.5 If $A$ is observable, then $n_o < nq^2$.

Proof: If $A$ is observable, then all trajectories from an observer state reach a singleton
state in at most $q^2$ transitions, since otherwise $O_p$ is not $E_p$-stable. In addition,
between each observable transition, there can be at most $n$ unobservable transitions.
Therefore, an upper bound for $n_o$ is $nq^2$. □
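
The observer dynamics (2.15) and the two observability tests of Propositions 2.3 and 2.4 can be run side by side on a small system. The Python below is an added example, not code from the paper: the function names, the dictionary encoding of $f$, and the two four-state systems are constructed for illustration, and $f'(x, \gamma)$ is assumed to be the set of states reached from $x$ by unobservable events followed by $\gamma$.

```python
from itertools import product

def unobs_reach(f, gamma, states):
    """R(A|complement of Gamma, states): closure under unobservable events."""
    seen, stack = set(states), list(states)
    while stack:
        x = stack.pop()
        for (src, ev), targets in f.items():
            if src == x and ev not in gamma:
                for y in targets - seen:
                    seen.add(y)
                    stack.append(y)
    return frozenset(seen)

def step(f, gamma, states, g):
    """Equation (2.15): new estimate after observing g from estimate `states`."""
    reach = unobs_reach(f, gamma, states)
    return frozenset(y for x in reach for y in f.get((x, g), ()))

def initial_estimate(X, f, gamma):
    """Y = Y0 | Y1: states with no incoming transition, or an observable one."""
    any_in = {y for targets in f.values() for y in targets}
    y1 = {y for (_, ev), targets in f.items() if ev in gamma for y in targets}
    return frozenset((set(X) - any_in) | y1)

def build_observer(X, f, gamma):
    """Observer state space Z as the reach of Y under (2.15); returns (Y, Z, w)."""
    start = initial_estimate(X, f, gamma)
    Z, w, todo = {start}, {}, [start]
    while todo:
        z = todo.pop()
        for g in gamma:
            nxt = step(f, gamma, z, g)
            if nxt:  # g is an allowable next output only if some state emits it
                w[(z, g)] = nxt
                if nxt not in Z:
                    Z.add(nxt)
                    todo.append(nxt)
    return start, Z, w

def cycle_avoiding(nodes, edges, good):
    """True if some cycle never passes through `good`, i.e. not good-stable."""
    rest = set(nodes) - set(good)
    shrinking = True
    while shrinking:  # peel off nodes with no successor left outside `good`
        shrinking = False
        for z in list(rest):
            if not any(t in rest for t in edges.get(z, ())):
                rest.discard(z)
                shrinking = True
    return bool(rest)

def observable_via_observer(X, f, gamma):
    """Proposition 2.3: singleton set E nonempty and the observer is E-stable."""
    _, Z, w = build_observer(X, f, gamma)
    edges = {}
    for (z, _), nxt in w.items():
        edges.setdefault(z, set()).add(nxt)
    E = {z for z in Z if len(z) == 1}
    return bool(E) and not cycle_avoiding(Z, edges, E)

def observable_via_pairs(X, f, gamma):
    """Proposition 2.4: the pair automaton on Y x Y is stable w.r.t. the diagonal."""
    Y = initial_estimate(X, f, gamma)
    edges = {}
    for x, y in product(Y, repeat=2):
        for g in gamma:
            # f'(x, g) | f'(y, g), with f' as assumed in the lead-in
            nxt = step(f, gamma, {x}, g) | step(f, gamma, {y}, g)
            edges.setdefault((x, y), set()).update(product(nxt, repeat=2))
    diagonal = {(x, x) for x in Y}
    return not cycle_avoiding(set(product(Y, repeat=2)), edges, diagonal)

def estimates(X, f, gamma, outputs):
    """Estimate sequence produced by the observer for an output string."""
    est, trace = initial_estimate(X, f, gamma), []
    for g in outputs:
        est = step(f, gamma, est, g)
        trace.append(set(est))
    return trace

# Constructed sample systems: 'a' and 'b' are observable, 'u' is not.
X = {0, 1, 2, 3}
GAMMA = frozenset("ab")
SYS_OK = {(0, "a"): {1}, (0, "u"): {2}, (2, "a"): {3},
          (1, "b"): {0}, (3, "b"): {0}}
# Same system, but 'b' from state 3 now returns to 2, so ambiguity never resolves.
SYS_BAD = {**SYS_OK, (3, "b"): {2}}

if __name__ == "__main__":
    for name, f in (("SYS_OK", SYS_OK), ("SYS_BAD", SYS_BAD)):
        print(name, observable_via_observer(X, f, GAMMA),
              observable_via_pairs(X, f, GAMMA), estimates(X, f, GAMMA, "abab"))
```

In the first system the estimate alternates between the ambiguous set {1, 3} and the singleton {0}; in the second the observer cycles between {1, 3} and {0, 2} and never reaches a singleton, and both tests report the same verdict.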

2.3 Persistent States and Always-Observability

In  this  section,  we  address  a  problem  of  finding  a  set  of  always-observable  states,  in 
the  sense  that,  except  perhaps  for  a  finite  number  of  transitions  in  the  beginning, 
the  observer  has  perfect  knowledge  of  the  current  state  every  time  the  system  goes 
through  always-observable  states.  We  characterize  this  notion  as  follows: 

Definition 2.6 A state $x \in X$ is always-observable iff there exists an integer $n_a$
such that for all $y \in X$ and $s \in L(A, y)$ such that $x \in f(y, s)$ and $|s| > n_a$,
$w(\{Y\}, h(s)) = \{x\}$. □

Note that an always-observable state has to be a singleton state in the observer. Furthermore,
it should not be an element of any other persistent state of the observer
which is not a singleton, where a persistent state is one that may be visited after an
arbitrarily long string of events. States that are on a cycle are certainly persistent.
The following definition also characterizes as persistent those states that are in between
cycles, since these states, although they may be visited at most once, may have
this visit occur after an arbitrarily long sequence of transitions. For this reason, they
must also be accounted for in characterizing always-observability:

Definition 2.7 A state $x \in X$ is a persistent state if there exists some $y \in X$,
$s \in L(A, y)$, $|s| > n$, such that $x \in f(y, s)$. A subset $Q$ of $X$ is termed a persistent set if
all $x \in Q$ are persistent states. □
Clearly, the class of persistent sets is closed under unions and intersections. Thus,
a maximal persistent set exists; let $X_r$ denote this set. In order to compute $X_r$,
we compute $\overline{X_r}$ which, by the following result, is the maximal set of states stable (in
fact, just pre-stable, [12]) with respect to the dead states in $A^{-1}$, where $A^{-1}$ denotes
$A$ with the transitions reversed, i.e., $A^{-1} = (G, f^{-1}, d^{-1})$ where:

$$f^{-1}(x, \sigma) = \{y \in X \mid x \in f(y, \sigma)\} \tag{2.19}$$

$$d^{-1}(x) = \{\sigma \in \Sigma \mid \exists\, y \in X \text{ such that } x \in f(y, \sigma)\} \tag{2.20}$$

and the dead states in $A^{-1}$, $D_1$, are those states $x$ such that $d^{-1}(x) = \emptyset$:

Proposition 2.8 $\overline{X_r}$ is the maximal $D_1$-stable set.

Proof: ($\subset$) Straightforward since all trajectories from $\overline{X_r}$ in $A^{-1}$ are killed in a finite
number of transitions.

($\supset$) Suppose $x$ is $D_1$-stable, then all trajectories from $x$ in $A^{-1}$ are killed in a finite
number of transitions. Therefore $x \in \overline{X_r}$. □

The  following  proposition  provides  a  mathematical  characterization  of  always- 
observability: 

Proposition  2.9  A  persistent  state  a;  g  X  is  an  always-observable  state  iff 

•  X  only  has  observable  transitions  defined  to  it,  i.e.,  d~'^{x)  c  F,  and 

•  for  all  yeX.se  Lf{A,y)  such  that  |5|  >  nq^  and  x  e  f{y,s).  any  string  with 

the  same  output  as  5  only  goes  to  x,  i.e.,  for  all  z  e  X.t  e  Lf{A,  z)  such  that 
h{t)  =  h(s),  f{zG)  =  2:.  □ 

A  subset  (5  of  A"  is  termed  an  always  observable  set  if  allx  e  Q  are  always-observable 


states.  A  system  A  is  termed  a-observable  if  all  trajectories  in  A  visit  always- 
observable  states  infinitely  often.  Note  that  this  notion  of  a-observability  is  stronger 
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than  our  notion  of  observability,  but  still  weaker  than  the  usual  system-theoretic  no¬ 
tion  of  observability  which  corresponds  to  requiring  all  persistent  states  to  be  always- 
observable. 

Clearly, the class of always-observable sets are closed under unions and intersections.
Thus, a maximal always-observable set, $X_a$, exists. As explained above, an
always-observable state $x$ should only have observable transitions defined to it, and
the only persistent state of the observer that $x$ is in should be the singleton state
$\{x\}$:

Corollary 2.10 A persistent state $x$ is always-observable iff $d^{-1}(x) \subset \Gamma$ and if $\hat{x}$ is a
persistent observer state and $x \in \hat{x}$ then $\hat{x}$ is the singleton state $\{x\}$.

Proof: (→) The proof for the first statement is obvious. To prove the second statement
just assume the contrary.

(←) Straightforward. □

As  we  did  before,  we  can  use  Op  to  check  if  a  state  is  always  observable: 

Proposition 2.11 A persistent state $x$ is always-observable iff $d^{-1}(x) \subset \Gamma$ and if $(x, y)$
for some $y$ is a persistent state of $O_p$, then $y = x$.

Proof:  Straightforward  by  assuming  the  contrary  in  each  direction.  □ 

Thus, $X_a$ can simply be computed by performing this 0{q'^) test for each persistent
state $x$ such that $d^{-1}(x) \subset \Gamma$. Then, a test for a-observability is just a test for
$X_a$-stability:

Proposition 2.12 A system $A$ is a-observable iff it is $X_a$-stable.

Proof: Straightforward. □
2.4 Indistinguishability

Ramadge, in [13], introduces a notion of indistinguishability which he refers to as
“possible indistinguishability”. This turns out to be an extremely useful notion in our
context as well. In this section, we reformulate his definition, present an algorithm
for it in our framework, and use it, in Section 2.5 to study observability with delay
and in Section 3 in analyzing the complexity of the observer $O$.

A pair of states $(x, y)$ is termed to be an indistinguishable pair if they share an
infinite length output sequence. Since the observer uses the states in $Y$, for notational
simplicity, we will define indistinguishability for states in $Y$.

Definition 2.13 Given $x \in X$, let $L_\infty(A, x)$ denote the set of infinite length event
trajectories generated from $x$, and $h(L_\infty(A, x))$ the corresponding set of output
trajectories. The pair $(x, y) \in Y \times Y$ is an indistinguishable pair if
$h(L_\infty(A, x)) \cap h(L_\infty(A, y)) \neq \emptyset$, i.e., if there is an infinite length output sequence that could
have been generated starting from either $x$ or $y$. □

As  an  example,  note  that  in  Figure  2.1,  (0,2)  is  an  indistinguishable  pair  since  an 
infinite  string  of  a’s  is  a  possible  output  sequence  from  either  state.  Since  we  have 
seen  that  this  system  is  observable,  we  now  see  that  the  absence  of  indistinguishable 
pairs  is  not  required  for  observability.  ^ 

The  following  lemma  establishes  a  recursion  for  indistinguishable  pairs: 

Lemma 2.14 $(x, y)$ is an indistinguishable pair iff there exists $s \in L_f(A, x)$, and
$t \in L_f(A, y)$ such that $h(s) = h(t)$ and there exists an indistinguishable pair
$(z, w) \in f(x, s) \times f(y, t)$.

^In general, if there are indistinguishable states, we will not always be able to determine which
of these states we were in at some point in the past, but this does not rule out the possibility that
we may occasionally know the current state.

Proof: (→) Assume contrary, then for all $(z, w) \in f(x, s) \times f(y, t)$ all output sequences
differ in a finite number of transitions. Therefore, $(x, y)$ cannot be indistinguishable
and we establish a contradiction.

(←) Straightforward. □

A subset $I_p$ of $Y \times Y$ is called an indistinguishable pair set if every element $(x, y)$
of $I_p$ is an indistinguishable pair. Obviously, indistinguishable pair sets are closed
under arbitrary unions and intersections. Thanks to the preceding lemma, we have
the following for the computation of the maximal indistinguishable pair set:

Proposition 2.15 The following algorithm computes the maximal set of indistinguishable
pairs, $I_M$, and it has complexity 0{q''):

Algorithm Let $I_0 = Y \times Y$ and iterate:

$I_{k+1} = \{(x, y) \in I_k \mid f_{O_p}((x, y), \gamma) \cap I_k \neq \emptyset \text{ for some } \gamma\}$

Terminate when $I_{k+1} = I_k$. Then $I_M = I_k$.

Proof: The correctness of the algorithm is easily verified by using the definition of
the automaton $O_p$ and Lemma 2.14. To obtain a bound on computational complexity,
note that $I_0$ has elements and that the sequence of sets $I_k$ is strictly decreasing up
to some step at which the algorithm terminates. Thus, this algorithm terminates in
at most q'^ steps. Since also at most q^ states are visited at each step, the complexity
of this algorithm is 0(5^). □

2.5  Observability  with  a  Delay 

For observability with a delay, we require that we have perfect knowledge of the state
some finite number of transitions into the past (as opposed to the current state) at
intermittent (but not necessarily fixed) points in time (see Figure 2.5).^ For example,
in Figure 2.6, where all events are assumed to be observable, we have a system
which is not observable. When $\alpha$ or $\beta$ occurs, we do not have perfect knowledge of
the current state but if $\alpha$ (respectively, $\beta$) occurs, we know that the previous state is
state 2 (respectively, state 1). Our formulation of this weak notion of observability is
based on Definition 2.2, in which the prefix $p$ of $s$ characterized the point at which
the current state is known perfectly. In the following definition, we use a prefix $p_1$
of $s$ and a prefix $p_2$ of $p_1$, where $h(p_1)$ characterizes the information required to have
perfect knowledge of the state at the time in the past just after the occurrence of $p_2$.
For example, in Figure 2.6, for a string $s = \alpha\beta\alpha\alpha$, $p_1 = s$ and $p_2 = \alpha\beta\alpha$. Perfect
knowledge of the state is insured by the third item below which (similar to Definition
2.2) states that for all strings $t_1$ which produce the same output as $p_1$, the state after
$t_2$ is the same as the state after $p_2$ where $t_2$ is the prefix of $t_1$ that produces the same
output as $p_2$.

Figure 2.5: Observability with a Delay: The state, a finite number of transitions into
the past, is known perfectly at intermittent (but not necessarily fixed) points in time.

Figure 2.6: Example for WD Observability (panels: System, Observer)

^This is a concept which is of use in studying other aspects of DEDS such as invertibility, [11].
In addition, delay in the knowledge of the state may not be of concern in the hierarchical study of
DEDS where we represent strings of lower level events by a single event at the higher level, [10].

Definition 2.16 $A$ is observable with a delay (WD observable) if $\forall x \in X$, $\forall s \in L(A, x)$
such that |s| > nq'^, there exists prefixes $p_1 \in L_f(A, x)$ of $s$ and $p_2 \in L_f(A, x)$ of $p_1$
such that

• |s/p_2| < nq^>

• $f(x, p_2)$ is single valued,

• $\forall y \in X$ and $t_1 \in L_f(A, y)$: $h(t_1) = h(p_1) \Rightarrow f(y, t_2) = f(x, p_2)$, where $t_2$ is the
prefix of $t_1$ such that $h(t_2) = h(p_2)$. □

A test for WD observability can be constructed based on the following: If at any
time the observer estimate, $\hat{x}$, is such that all pairs in $\hat{x}$ are distinguishable, then by
using future outputs we can distinguish between the states in $\hat{x}$ in a finite number
of transitions. For example, in Figure 2.6, since (1,2) is not an indistinguishable
pair, in a finite number of transitions, just one transition in this case, we can distinguish
between 1 and 2. In general, a necessary and sufficient condition for WD
observability is that the observer is stable with respect to the states that only include
distinguishable pairs:

Proposition 2.17 $A$ is WD observable iff $O$ is $E_W$-stable where

$E_W = \{\hat{x} \in Z \mid \text{there exists no } x, y \in \hat{x}, x \neq y \text{ such that } (x, y) \in I_M\}$


Proof: (→) Assume contrary, then there exists a cycle $\hat{x}_1 \cdots \hat{x}_k \hat{x}_1$ in $O$ such that
$\hat{x}_i \supset \{x_i, y_i\}$ where $x_i \neq y_i$ and $(x_i, y_i)$ is an indistinguishable pair for all $i$. Let $w$
be a string such that $x_1 \in f(x_1, w)$ and the event sequence $h(w)$ drives $O$ precisely
through the cycle $\hat{x}_1, \ldots, \hat{x}_k, \hat{x}_1$. Referring to Definition 2.16, let $x = x_1$, $s = w^l$
for some large enough $l$ such that |s| > nq'^. Also pick $y = y_1$. For any prefix
$p_1 \in L_f(A, x)$ of $s$, there exists some $t_1 \in L_f(A, y)$ such that $h(t_1) = h(p_1)$. On
the other hand, for all prefixes $p_2$ of $p_1$ and corresponding prefix $t_2$ of $t_1$ such that
$h(t_2) = h(p_2)$, we have that $x_i \in f(x, p_2)$ and $y_i \in f(y, t_2)$ for some $i$. Since $x_i \neq y_i$
for all $i$, $f(x, p_2) \neq f(y, t_2)$ and we establish a contradiction with the third item in
Definition 2.16, and $A$ cannot be WD observable. Therefore, $O$ must be $E_W$-stable.

(←) Straightforward □

As  we  did  with  observability,  we  use  the  automaton  Op  to  construct  a  polynomial 
test  for  WD  observability.  It  is  necessary  and  sufficient  to  check  stability  of  Op  with 
respect  to  the  distinguishable  pairs: 

Proposition 2.18 $A$ is WD observable iff $O_p$ is $E_{Dp}$-stable where $E_{Dp}$ = ^

Proof:  Straightforward  by  assuming  the  contrary  in  each  direction.  □ 


Figure  2.6  is  a  very  simple  example  that  illustrates  this  result. 
3 Observer Implementation and Complexity

Recall that the next state of the observer is expressed as a function of the current
state and the next event as follows (Equation 2.15):

$\hat{x}[k+1] = \bigcup_{x \in R(A|\Gamma, \hat{x}[k])} f(x, \gamma[k+1])$ (3.1)

which can also be expressed as:

$\hat{x}[k+1] = \bigcup_{x \in \hat{x}[k]} r(x, \gamma[k+1])$ (3.2)

where

$r(x, \gamma) = f(R(A|\Gamma, x), \gamma)$ (3.3)

Clearly, $r$ can be computed beforehand for all $x \in Y$ and $\gamma \in \Gamma$. This computation
has O(|Γ|q^) complexity and the result occupies OdFj^^) memory. Thus, computation
of the next state of the observer simply becomes taking the union of $r(x, \gamma[k+1])$
for all $x \in \hat{x}[k]$, which has O(q^) complexity. Since also, observability can be tested in
polynomial time, computational complexity associated with the observability problem
by itself is polynomial.

While  testing  observability  and  the  implementation  of  the  observer  do  not  require 
the  complete  enumeration  of  the  observer  state  space,  this  enumeration  is  needed  for 
other  design  and  analysis  problems.  This  is  the  case,  for  example,  in  the  study  of 
stabilization  by  output  feedback  which  we  will  address  in  a  subsequent  paper.  Thus, 
it  is  of  interest  to  characterize  the  cardinality  of  the  observer.  Unfortunately,  even 
if  A  is  observable  (or,  for  the  same  matter,  a-observable),  the  observer  may  have  an 
exponential  number  of  states.  As  an  example,  consider  the  following  class  of  systems 
which  is  a  slightly  modified  version  of  Figure  1  in  [19]: 




Figure  3.7:  Example  for  Exponential  Observer  State  Space 

We index this class by an integer $i$. The system corresponding to $i = 3$ is illustrated
in Figure 3.7, where all events are observable. The set of events for this class
consists of $\alpha$, $\beta$, $\gamma$, and $\delta_1$ through $\delta_i$. There are $2i(i+1)+1$ states and one of them
is state 0, whereas the rest is indexed by pairs of integers $(j, l)$ for $j$ ranging from
1 to $i+1$ and $l$ ranging from 1 to $2i$. It is not difficult to check that this system
is observable and that 0 is an always-observable state. One can also show that the
number of states in the observer is $O(2^i)$. To see why, suppose that the system is in
state 0. If $\alpha$ (respectively, $\beta$) occurs, then the next state is in the set {11,13,...16}
(respectively, {12, . . . 16}). With the next event, the ambiguity in the current state is
reduced to four states, then three states, etc. Furthermore, due to the particular way
the transitions $\alpha$ and $\beta$ are defined, the estimates corresponding to each sequence
consisting of events $\alpha$ and $\beta$ are different. It is this fact that leads to the exponential
growth in the observer state space.

While the observer state space is exponential for the preceding example, there
are many cases in which the cardinality of the state space is much smaller. Thus,
it is of interest to characterize structure and characteristics of DEDS that may lead
to significantly smaller observer state spaces. In the remainder of this section, we
develop a bound on the size of the observer state space which, for certain DEDS,
yields a much smaller number than 2". First of all, we restrict ourselves to put a
bound on $Z_R$, the persistent part of the observer state space $Z$. For any problem such
as stabilization, focusing on long-term behavior such as stability, it is only $Z_R$ that
is of concern (for example, in output feedback design we can simply let the system
evolve without active control during the start-up period—until $O$ enters $Z_R$—and at
that point we can begin to apply feedback).

We begin our analysis by noting that two states $x$ and $y$ are elements of the same
persistent observer state iff the pair $(x, y)$ is indistinguishable in $A^{-1}$. For example,
in Figure 3.7, states 32 and 35 are indistinguishable if we reverse all the transitions
in this automaton (since these two states then share the string, for example,
aa/3{^6-ij3/3a)’'). Therefore, the observer estimate after observing jlaa is
the set {32,33,35} which includes the states 32 and 35. We use I]^ to denote the
maximal set of indistinguishable pairs in $A^{-1}$ and this set will play a central role in
the computation of our bound.

Let $Y_R$ denote the persistent part of $Y$ in our original automaton $A$ (i.e., these are
elements of $Y$ that may be visited after arbitrarily long sequences of events). For any
subset $S \subset Y_R$, we let $\eta(S)$ denote the number of persistent observer states which
include different subsets of $S$:

$\eta(S) = |\{Q \subset S \mid S \cap \hat{x} = Q \text{ for some } \hat{x} \in Z_R\}|$ (3.4)

Then, clearly $|Z_R| = \eta(Y_R)$. To compute a bound, we first find a collection of disjoint
subsets of $Y_R$ such that each persistent observer state is a subset of exactly
one element of this collection: First of all, we term a collection B = {5], .... 5^} of
disjoint subsets $B_i$ of $Y_R$ a $Y_R$-partition if $\bigcup_i B_i = Y_R$. A $Y_R$-partition B is termed a
$Y_R$-distinguishability-partition if each pair indistinguishable in the inverse automaton
is in some element of this partition, i.e., for all $(x, y) \in$ I]^, $\{x, y\} \subset B_i \in$ B.
Since all pairs in an observer state are indistinguishable in the inverse automaton,
they all must be in the same element of B. For calculating a tight bound, we need to
have the elements of B as small as possible. Thus, a $Y_R$-distinguishability-partition
B is termed fine if for each $B_i \in$ B, the only $B_i$-distinguishability-partition is $B_i$
itself. Clearly, there is only one $Y_R$-distinguishability-partition that is also fine, and
we denote this partition by B^. Note that B^ is the quotient of $Y_R$ by the transitive
closure of indistinguishability in the inverse automaton, and there are well-known
polynomial algorithms for computing B^ (see, for example [16]). For Figure 3.7, B^
consists of the sets {0}, {11, . . . , 16}, {21, . . . ,26}, {31, . . . , 36}, {41}, . . . , {46}. We
then have the following result:


Proposition 3.1 For all $\hat{x} \in Z_R$, $\hat{x} \subset B_i \in$ B^ for some $i$.

Proof: Straightforward. □

The following result immediately follows from the above proposition:

Corollary 3.2 Given $S \subset Y_R$, and B^ = $\{B_i\}$, $\eta(S) = \sum_i \eta(B_i \cap S)$. Therefore,
$|Z_R| = \sum_i \eta(B_i)$. □

Corollary 3.3 We have the following first bound on the cardinality of the persistent
part of the observer state space:

The “minus 1” in this equation corresponds to the fact that we can omit the empty
set.

While this bound is exponential, it may be much tighter than 2^^ ' − 1 if the
partition is quite fine. Furthermore, if $B_i$ is large, in many cases $\eta(B_i)$ will be
much smaller than $2^{|B_i|} - 1$. Now, we proceed with showing that by exploiting the
structure of the system we may compute a possibly tighter bound for $Z_R$ and we use
Corollary 3.2 for this. For any $S \subset Y_R$, let $\phi(S, \sigma)$ be the set of states that can reach
a state in $S$ with a string that has $\sigma$ as its last and only observable event, i.e.,

$\phi(S, \sigma) = R(A^{-1}|\Gamma, f^{-1}(S, \sigma))$ (3.5)

Thus, given $\sigma$, there are $\eta(\phi(S, \sigma))$ observer states that may make a transition, with
$\sigma$, to an observer state which is a subset of $S$. Thus, if we add these for all such
events $\sigma$, we get an upper bound for $\eta(S)$:

T]iS)  (3.6) 

But, by using Corollary 3.2, we can decompose $\phi(S, \sigma)$ using the partition B^ and
compute $\eta$ for each part. We thus have the following result, where we assume that
$S \subset B_i \in$ B^ since otherwise we can decompose $S$ itself using the partition:

Proposition 3.4 Given $S \subset B_i \in$ B^,

$\eta(S) \le \min(2^{|S|} - 1, \sum_{\sigma \in \Gamma} \sum_j \eta(B_j \cap \phi(S, \sigma)))$

Proof: Straightforward. □

We can apply this to $Y_R$ and thus get the following:

Corollary 3.5 Given B^,

$|Z_R| = \eta(Y_R) = \sum_i \eta(B_i) \le \sum_i \min(2^{|B_i|} - 1, \sum_{\sigma \in \Gamma} \sum_j \eta(B_j \cap \phi(B_i, \sigma)))$ □

Now, a recursive application of Proposition 3.4 will give us a bound that gets progressively
tighter with each application. If at any time $2^{|S|} - 1$ is a better bound
for some set $S$, then clearly, there is no reason to apply the proposition further after
that step. However, this algorithm may in general require an exponential amount of
computation if iterated to the fullest. For example, this is the case for the example
in Figure 3.7. On the other hand, the algorithm may be terminated at any step by
using the bound $2^{|S|} - 1$. Alternatively, the following approximation can be used to
compute a bound using less computation.

We now replace the summation over $\Gamma$ in Proposition 3.4 by an approximation as
follows: Given $S, Q \subset Y$, let $\rho(S, Q)$ denote the number of observable events that
take states in $R(A|\Gamma, Q)$ to states in $S$:

$\rho(S, Q) = |\{\sigma \in d(R(A|\Gamma, Q)) \cap \Gamma \mid f(R(A|\Gamma, Q), \sigma) \cap S \neq \emptyset\}|$ (3.7)

First of all, note that

$\sum_{\sigma \in \Gamma} \eta(B_i \cap \phi(S, \sigma)) \le \rho(S, B_i \cap \phi(S, \Gamma)) \max_{\sigma \in \Gamma} \eta(B_i \cap \phi(S, \sigma))$ (3.8)

Since computing the maximization requires computing $\eta(B_i \cap \phi(S, \sigma))$ for each $\sigma$, we
replace it with $\eta(B_i \cap \phi(S, \Gamma))$ instead. Then,

$\sum_{\sigma \in \Gamma} \eta(B_i \cap \phi(S, \sigma)) \le \rho(S, B_i \cap \phi(S, \Gamma)) \, \eta(B_i \cap \phi(S, \Gamma))$ (3.9)

We thus have the following result:

Proposition 3.6 Given $S \subset B_j \in$ B^,

$\eta(S) \le \min(2^{|S|} - 1, \sum_i \rho(S, \tau_i(S)) \, \eta(\tau_i(S)))$

where

$\tau_i(S) = B_i \cap \phi(S, \Gamma)$

Proof: Straightforward. □

We can apply this result to $Y_R$ and we get:

Corollary 3.7 Given B^,

$|Z_R| = \sum_i \eta(B_i) \le \sum_i \min(2^{|B_i|} - 1, \sum_j \rho(B_i, \tau_j(B_i)) \, \eta(\tau_j(B_i)))$ □

As before, Proposition 3.6 can be applied recursively. Alternately, one can terminate
this algorithm at any step by using the bound $2^{|S|} - 1$. It is not known in general
if the full iteration of the algorithm requires a polynomial or exponential number of
steps. However, as the following example shows, it requires a linear number of steps
for the system of Figure 3.7 and in fact yields $|Z_R|$ exactly:

Example 3.8 For the system in Figure 3.7, B^ consists of $B_1 = \{0\}$, $B_2 = \{11, \ldots, 16\}$,
$B_3 = \{21, \ldots, 26\}$, $B_4 = \{31, \ldots, 36\}$, $B_5 = \{41\}$, $B_6 = \{42\}$, $B_7 = \{43\}$, $B_8 = \{44\}$,
$B_9 = \{45\}$, and $B_{10} = \{46\}$. Let us use $\eta_i$ as a shorthand for $\eta(B_i)$. Then,
clearly, $\eta_1 = \eta_5 = \cdots = \eta_{10} = 1$. On the other hand, since $\tau_1(B_2) = \{0\}$ and
$\rho(B_2, \tau_1(B_2)) = 2$, $\eta_2 \le 2\eta_1 = 2$. Similarly, $\eta_3 \le 2\eta_2 = 4$ and $\eta_4 \le 2\eta_3 = 8$. Therefore,
for this example,

$|Z_R| \le 1 + 2 + 4 + 8 + 1 + 1 + 1 + 1 + 1 + 1 = 21$

and in fact, this is the exact value of $|Z_R|$. □

We conclude this section by presenting the following class of systems for which the
cardinality of the observer state space is linear in $n$ and our algorithm for computing
a bound for $|Z_R|$ also yields $|Z_R|$ exactly:

Example 3.9 Consider the following class of systems, indexed by $i$ (see Figure 3.8
for $i = 4$): The set of events for this class consists of $\alpha$, $\beta$, $\delta$ and $\gamma$, where all of them
are observable. There are $2(i+1)+1$ states and one of them is state 0. The event
$\alpha$ (respectively, $\beta$) defines a transition from 0 to the odd numbered (respectively,
even numbered) states. The event $\delta$ defines transitions from all other states to
state 0. The event $\gamma$ defines a transition from state 1 to 4, from 2 to 3, and for
all other states $j$ with $j > 3$, $\gamma$ defines a transition from $j$ to $j + 2$. These systems
are all observable (in fact a-observable), and $Z_R$ is linear in $i$. For $i = 4$, B^
consists of $B_1 = \{0\}$ and $B_2 = \{1, \ldots, 10\}$. Clearly, $\eta_1 = 1$. On the other hand, to
calculate $\eta_2$, we need to know $\eta(\{1, \ldots, 8\})$, which we denote by $\eta_3$. Similarly, to
calculate $\eta_3$, we need to know $\eta(\{1, \ldots, 6\})$, which we denote by $\eta_4$. Denoting
$\eta(\{1, \ldots, 4\})$ by $\eta_5$, and $\eta(\{1, 2\})$ by $\eta_6$, and arguing as above, we see that we
need to calculate $\eta_6$ first. Since 775 < min(2^ 277i) = 2, 775 < min(2^ 277a + r/e) = 4.
Similarly, $\eta_4 \le 6$, etc., and thus $\eta_2 \le 10$. Therefore, $|Z_R| \le 1 + 10 = 11$, and in fact,
this is the exact value $Z_R$. □
4 Resilient Observers

In this section, we introduce the possibility of measurement error in our model and address
a problem of resilient observability. Specifically, suppose that the output string
that we observe contains errors. Then a major question is how this measurement
error affects the behavior of the observer. In particular, does it lead to catastrophic
error propagation, or does the observer resume desired, correct behavior in a finite
number of transitions. Let us consider three types of measurement errors:

• Although the system did not have any transitions, a transition has been mistakenly
inserted.

• A transition has been mistaken for another.

• An observable transition has been totally missed in the output string.

An output corrupted with a burst of such measurement errors can be modelled by
taking out a finite length string from the output string and replacing it with an
arbitrary finite length string over $\Gamma$. Our goal here is to design resilient observers so
that after a burst of measurement errors, the observer resumes correct behavior in a
finite number of transitions, i.e., the actual state of the system is an element of the
observer estimate. This is illustrated in Figure 4.9.

Since we allow the burst to be any string in $\Gamma$, the corrupted output is not necessarily
an output string that can be generated by a state in $X$, and thus the response
of $O$, as we have specified it so far, is undefined for this erroneous string. Thus, we
must extend the observer so that it is defined for all such strings:

Definition 4.1 An observer is a map $B : \Gamma^* \to 2^Y$ so that for those strings that can
occur in $A$, $B$ yields the same behavior as $O$, i.e., for any $x \in X$ and $s \in L_f(A, x)$,
we require that

$B(h(s)) = \{y \in Y \mid \exists z \in X, r \in L_f(A, z) \text{ such that } y \in f(z, r) \text{ and } h(r) = h(s)\}$ □

Figure 4.9: Resilient Observability: Following a burst of measurement errors, observer
estimates can only be wrong for a finite number of transitions.


There is one special observer that will deserve particular attention. Specifically,
not all events $\gamma$ may be defined at certain states of $O$. For any such state and
event, we then define a transition, back to the “know nothing” state $\{Y\}$—i.e., the
observer is simply reset if an inconsistent event occurs. We denote this observer by
$O_R = (F, w_R, v_R)$, and mathematically, it is obtained from $O$ as follows:

$w_R(\hat{x}, \gamma) = \begin{cases} w(\hat{x}, \gamma) & \text{if } \gamma \in v(\hat{x}) \\ \{Y\} & \text{otherwise} \end{cases}$ (4.1)

$v_R(\hat{x}) = \Gamma$ (4.2)

As before, the initial state of $O_R$ is the state $\{Y\}$. Note that $O_R$ does define a map
from $\Gamma^*$ to $2^Y$ and thus, by a mild abuse of terminology, we refer to the system or
the map as an observer. Note also that $O_R$ is not stable with respect to its singleton
states, but $A \| O_R$ is stable with respect to the composite states at which the observer
is at a singleton state and the system is also at that state:

Proposition 4.2 $A \| O_R$ is stable with respect to $\{(x, \{x\}) \mid x \in Y\}$.

Proof: Straightforward. □
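The observer update of Equations 3.2 and 3.3, the reset rule of Equation 4.1 and the pair iteration of Proposition 2.15, as an added Python example that is not part of the paper. The automaton, event names and run are constructed; the example assumes that Y is the set of states entered by an observable event, that R(., x) collects the states reached from x through unobservable events, and that pairs are stepped on a common observable event as in Lemma 2.14 rather than through the automaton O_p, which is defined outside this section.

```python
from itertools import product

# Constructed automaton (not from the paper): (state, event) -> set of next states.
F = {
    (0, "a"): {1, 2},    # nondeterministic branch
    (0, "c"): {4},
    (1, "b"): {0},
    (2, "u"): {3},       # "u" is the only unobservable event
    (3, "b"): {0},
    (4, "d"): {0},
}
GAMMA = frozenset({"a", "b", "c", "d"})   # observable events


def unobservable_reach(f, gamma, x):
    """States reachable from x through unobservable events only (x included)."""
    seen, stack = {x}, [x]
    while stack:
        cur = stack.pop()
        for (src, ev), dsts in f.items():
            if src == cur and ev not in gamma:
                new = dsts - seen
                seen |= new
                stack.extend(new)
    return seen


def build_r_table(f, gamma):
    """Precompute r(x, g) = f(R(x), g) of Eq. (3.3) for x in Y and g in Gamma.

    Y is assumed to be the set of states entered by some observable event.
    Empty results are not stored: a missing key means g is inconsistent at x.
    """
    Y = frozenset(d for (_, ev), dsts in f.items() if ev in gamma for d in dsts)
    r = {}
    for x in Y:
        for z in unobservable_reach(f, gamma, x):
            for g in gamma:
                if (z, g) in f:
                    r.setdefault((x, g), set()).update(f[(z, g)])
    return Y, r


def observer_step(Y, r, estimate, g):
    """One update of the reset observer: the union of r(x, g) over the current
    estimate (Eq. 3.2), or a reset to Y when g is defined nowhere (Eq. 4.1)."""
    nxt = set()
    for x in estimate:
        nxt |= r.get((x, g), set())
    return frozenset(nxt) if nxt else Y


def run_observer(Y, r, outputs):
    """Estimates after each observed event, starting from the know-nothing state Y."""
    estimate, trace = Y, []
    for g in outputs:
        estimate = observer_step(Y, r, estimate, g)
        trace.append(estimate)
    return trace


def indistinguishable_pairs(Y, r, gamma):
    """Greatest fixed point of Proposition 2.15: keep (x, y) while some common
    observable event leads to a pair that is still in the set."""
    pairs = set(product(Y, Y))
    while True:
        keep = {
            (x, y) for (x, y) in pairs
            if any((z, w) in pairs
                   for g in gamma
                   for z in r.get((x, g), ())
                   for w in r.get((y, g), ()))
        }
        if keep == pairs:
            return keep
        pairs = keep


Y, R_TABLE = build_r_table(F, GAMMA)

# Constructed run 0 -a-> 1 -b-> 0 -a-> 2 -u-> 3 -b-> 0 -a-> 1 -b-> 0.
TRUE_OUTPUT = ["a", "b", "a", "b", "a", "b"]
TRUE_STATES = [1, 0, 2, 0, 1, 0]      # state entered by each observable event
# Measurement error: the first "a" is mistaken for "c".
CORRUPTED = ["c", "b", "a", "b", "a", "b"]

if __name__ == "__main__":
    for g, est, x in zip(CORRUPTED, run_observer(Y, R_TABLE, CORRUPTED), TRUE_STATES):
        print(g, sorted(est), "true state", x, "covered" if x in est else "MISSED")
    print(sorted(indistinguishable_pairs(Y, R_TABLE, GAMMA)))
```

The corrupted event first drives the estimate to a wrong singleton; the next event is inconsistent with it, the observer resets, and every later estimate contains the true state. The estimate {1, 2} contains a pair that the iteration keeps as indistinguishable, yet the observer still returns to the singleton {0}.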
In order to define what we mean by a resilient observer, we also need to define
a notion to represent the discrepancy between two strings. There are many ways
to define this, all of which depend on the reference point for comparing two strings.
Since the actual point that the burst ends is important for our definition of resiliency,
we compare two strings from their beginning and we represent their discrepancy by
how much they differ at the end. In particular, we say that the discrepancy between
two strings $s$ and $t$ is of length at most $i$, denoted by

^(s, t) < i (4.3)

if there exists a prefix, $p$, of both $s$ and $t$ such that |s/p| < i and |t/p| < i. Now we
can precisely define what we mean by a resilient observer $B$:

Definition 4.3 $B$ is a resilient observer if for all strings $s$ that can be generated by
$A$, i.e.,

• $\forall x \in X$,

• $\forall s \in L_f(A, x)$,

for all possible output strings $t$ which can be generated by corrupting $h(s)$ with a
finite length burst, i.e.,

• $\forall$ positive integers $i$,

• $\forall t \in \Gamma^*$ such that ^(t, h(s)) < i,

and for all possible completions $r$ of $s$ with a suffix of length at least nq^ (so that
the observer has enough time to recover), i.e.,

• $\forall r \in L_f(A, x)$ such that |r| > |s| + nq^ and $s$ is a prefix of $r$,

the observer estimate, in response to the corrupted output $t\,h(r/s)$, includes the
current state of the system:

$f(x, r) \subset B(t\,h(r/s))$

□

Note  that  in  case  of  a  number  of  finite  bursts  that  are  spaced  far  enough  apart,  the 
estimates  of  a  resilient  observer  are  guaranteed  to  be  correct  starting  from  a  finite 
number  of  transitions  following  each  burst,  up  to  the  occurrence  of  the  next  burst. 
On  the  other  hand,  if  the  number  of  correct  measurements  between  each  burst  is  less 
than  q^,  then  we  cannot  guarantee  any  correct  state  estimates. 

Existence of a resilient observer does not necessarily imply that the system is
observable.  That  is,  all  we  require  is  that  resilient  observers  resume  correct  estimates 
in  a  finite  number  of  transitions  following  a  burst. 

Proposition 4.4 A resilient observer $B$, for $A$, exists iff $A \| O_R$ is $E_1$-stable, where

$E_1 = \{(x, \hat{x}) \mid x \in \hat{x} \in Z\}$

Proof: (→) Straightforward by assuming the contrary.

(←) Obvious, since then $O_R$ is a resilient observer. □

What this proposition implies is that we only need to look at $O_R$ to check resiliency.
The stability condition on $O_R$ simply states that after a finite number of
steps following an error, the composite $A \| O_R$ returns to a state so that the estimate
provided by the state $\hat{x}$ of $O$ does indeed include the true state, $x$, of $A$. In
general, since the observer state space may be exponential in $q$, checking stability
may be computationally difficult. However, if we have WD observability—which can
be checked by a test of polynomial complexity—resiliency is guaranteed:

Lemma 4.5 If $A$ is WD observable then $A \| O_R$ is $E_1$-stable.

Proof: Straightforward by assuming the contrary, since if $A \| O_R$ is not $E_1$-stable,
there exists a cycle $(x_1, \hat{x}_1), \ldots, (x_k, \hat{x}_k)$ in $Y \times Z$ such that $x_i \notin \hat{x}_i$ for all
$i$. Thus, there exists a cycle $(x_1, y_1), \ldots, (x_k, y_k)$ in $Y \times Y$ such that $y_i \in \hat{x}_i$
and $(x_i, y_i)$ is an indistinguishable pair, for all $i$. By Proposition 2.18, $A$ is not WD
observable, and we establish a contradiction. Therefore, $A \| O_R$ is $E_1$-stable. □

When  we  have  observability  or  WD  observability.  Or  actually  has  a  much  stronger 
property.  We  need  the  following  definition: 

Definition  4.6  A  system  is  resiliently  observable  (respectively,  resiiiently  WD  observ¬ 
able)  if  the  system  is  observable  (respectively,  WD  observable)  and  a  resilient 
observer  exists.  □ 

Consider the observer $O_R$ and its composition, $A \| O_R$, with $A$. Let $E_2$ be the set
of composite states where the observer makes the precise and correct estimate, i.e.,
$E_2 = \{(x, \{x\}) \mid x \in X\}$. Then, we have the following:

Proposition 4.7 $A$ is resiliently observable iff $A \| O_R$ is $E_2$-stable.

Proof:  Straightforward  by  using  Lemma  4.5.  □ 

Finally, the following result shows that we do not need any test for resilient
observability, since observability itself is necessary and sufficient for resilient observability:

Proposition 4.8 $A$ is resiliently observable (respectively resiliently WD observable)
and $O_R$ is a resilient observer iff $A$ is observable (respectively WD observable).


Proof: (→) Obvious.

(←) Straightforward using Lemma 4.5. □
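The cycle argument used in the proofs above can be checked mechanically on a small automaton. The following Python sketch is an added example, not code from the paper; it assumes that all events are observable, that $A$ is alive, that $O_R$ resets to every state reachable by the observed event when that event is inconsistent with its estimate, and that $E$-stability means no cycle of $A \| O_R$ avoids $E$. The two sample automata are constructed.

```python
from itertools import product

def observer_step(trans, est, ev):
    """Assumed O_R update: follow ev from the estimate; if ev is impossible
    from every state in it, reset to all states that ev can lead to."""
    def hits(ok):
        return frozenset(t for (s, e), ts in trans.items()
                         if e == ev and ok(s) for t in ts)
    return hits(lambda s: s in est) or hits(lambda s: True)

def observer_states(trans, states):
    """Z: estimates reachable from 'no knowledge' (all states), resets included."""
    events = {e for (_, e) in trans}
    seen, todo = set(), [frozenset(states)]
    while todo:
        est = todo.pop()
        if est not in seen:
            seen.add(est)
            todo.extend(observer_step(trans, est, e) for e in events)
    return seen

def is_stable(trans, states, in_E):
    """True iff no cycle of the composite A || O_R stays outside E. Every
    (x, estimate) pair is a start point, since an error can leave it anywhere.
    Assumes A is alive (every state has at least one outgoing transition)."""
    succ = {(x, est): [(t, observer_step(trans, est, e))
                       for (s, e), ts in trans.items() if s == x for t in ts]
            for x, est in product(states, observer_states(trans, states))}
    bad = {n for n in succ if not in_E(*n)}
    while True:  # peel off bad nodes whose successors have all left 'bad'
        drop = {n for n in bad if not any(m in bad for m in succ[n])}
        if not drop:
            return not bad  # anything left can loop outside E forever
        bad -= drop

def in_E1(x, est):
    return x in est        # E_1: estimate contains the true state

def in_E2(x, est):
    return est == {x}      # E_2: estimate is exactly the true state

# Constructed samples: (state, event) -> set of successor states.
A_OBS = {(0, "a"): {1}, (1, "b"): {2}, (2, "a"): {0}}
A_AMBIG = {(0, "a"): {1}, (1, "a"): {0}, (2, "a"): {3}, (3, "a"): {2}}

if __name__ == "__main__":
    for name, a, n in (("A_OBS", A_OBS, 3), ("A_AMBIG", A_AMBIG, 4)):
        print(name, "E1-stable:", is_stable(a, range(n), in_E1),
              "E2-stable:", is_stable(a, range(n), in_E2))
```

`A_AMBIG` has two indistinguishable a-cycles, so its observer never reaches a singleton estimate: the composite is $E_1$-stable but not $E_2$-stable, which is the situation Proposition 4.7 rules out for observable systems.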

5  Conclusions 

In this paper, we have introduced notions of observability and resiliency for
discrete-event systems described by finite-state automata, and we have developed polynomial
algorithms to test for observability and resiliency, and to construct resilient observers.
We showed that a central element in these concepts is the notion of stability that
we considered in a previous paper [12]. We have also shown that an observer may
be implemented in polynomial time, but the cardinality of its state space may be
exponential. Although this issue is not of practical importance for the problems
discussed in this paper, it is of central importance for problems of stabilization by
output feedback that will be addressed in a forthcoming paper.

As we have seen, if a system is observable, the canonic observer $O_R$ is always
resilient, i.e., catastrophic error propagation will never occur. In a subsequent paper,
we address the problem of invertibility, i.e., of deducing the entire event string from
the output string, and we also introduce the notion of error recovery or resiliency in
that context. In that case, invertibility is not enough to guarantee the existence of
a resilient inverter, and further conditions are required to ensure resiliency and the
absence of catastrophic error propagation. These notions would seem to be of value
in trying to characterize the coordinated behavior of interconnections of DEDS and
the ability of the composite to recover from a loss of coordination.